In message <e754e90906130925m6d9f723eh71090a331a427...@mail.gmail.com>, R Dicai
re writes:
> Hi folks,
> Can both nsec and nsec3 records be used simultaneously in a zone file,
> or is it an either/or?
NSEC and NSEC3 chains are expected to exist in a zone during
a incremental transition between the two ways of negatively
signing a zone. If there is a complete NSEC3 chain (indicated
by a NSEC3PARAM record at the zone apex) servers are supposed
to return NSEC3 proofs.
NSEC3 is more expensive that NSEC is and really should not
be used unless you need the features NSEC3 provide. There
are additional cost on both the authoritative servers and
on the validating servers when you use NSEC3.
TLD's can make use of OPTOUT which is why you see ORG and
GOV using NSEC3. End user zones generally can't make use
of OPTOUT.
Unless you really need to hide the presence of names in a
zone then you shouldn't use NSEC3.
Note: NSEC3 is a waste of time for IN-ADDR.ARPA, IP6.ARPA
and RBL type zones which use IP addresses as they are highly
structured and you can enumnerate the contents without
walking the NSEC chain.
Mark
> Thanks
> --
> aRDy Music and Rick Dicaire present:
> http://www.ardynet.com
> http://www.ardynet.com:9000/ardymusic.ogg.m3u
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
